Prototype authentication with veda-auth-central Keycloak

[smohiudd]

What

The veda-auth-central team is working on a SSO solution using Keycloak. This will eventually be the authentication solution for all VEDA services.

@alukach started a sample app which reflects how our APIs may use veda-auth-central Keycloak authentication. This solution needs to be prototyped in the Veda STAC API in place of our current Cognito authentication.

PI Objective

Objective DS-2: STAC Admin NASA-IMPACT/veda-architecture#454

Acceptance Criteria

Veda-auth-central authentication integrated with the following:

• [x] veda-backend STAC transactions in deployed to dev
• [x] Establish list of groups and scopes to be used in VEDA STAC and Ingest APIs
• [x] Changes implemented in veda-backend to use veda-auth-central (deployed to test stack)
• [x] All endpoints are tested

[smohiudd]

From the veda-auth-central team:

• API docs http://3.147.103.56:8081/swagger-ui/index.html
• Sample app https://github.com/NASA-IMPACT/veda-auth-central/tree/main/veda-app-samples/veda-react-app

[smohiudd]

Notes from discussion with Auth Central team Aug 2 meeting:

• will use PKCE auth flow for STAC API
• scopes will be injected into access token
• @lahirujayathilake will integrate auth central into sample FastApi app. Similar auth integration will used for other FastApi based apps such as STAC Api and Ingest Api
• veda-auth-central will use group and roles in their backend but will map to scopes for STAC Api, Ingest Api and Grafana

[smohiudd]

Prior to veda-auth-central integration with veda-backend we'll need to determine the appropriate Group and Scopes that will be needed.

There are currently six services in veda that require auth:

1. STAC api
2. Ingest API.
3. Workflows API
4. STAC Admin
5. SM2A
6. Grafana (Not using Scopes, only Groups)

Both STAC and Ingest api services allow us to create, update & delete STAC records in the catalog.

Should we have the same Scopes for both APIs? for example (note: @alukach I'm not sure if this is the correct naming convention for scopes):

[
  "veda:stac:read",
  "veda:stac:create",
  "veda:stac:update",
  "veda:stac:delete"
]

[smohiudd]

See this spreadsheet for group and scope details for the applications listed above: https://docs.google.com/document/d/1vwqLwVSZH6ZbofWFcLC9CDVueynoVHHHCPdZLK0n1J8/edit#heading=h.pqt43d9p5xzt

[smohiudd]

Draft PR: https://github.com/NASA-IMPACT/veda-backend/pull/424 Deployed to: https://stacadmin.openveda.cloud/api/stac/docs, https://stacadmin.openveda.cloud/api/ingest/docs

[smohiudd]

Following ADR review meeting on Aug 29 (Meeting notes), the veda auth central team will be working with technical teams to validate the current auth approach or work on an alternative. Given that changes to veda-auth-central are possible, I suggest putting the prototyping on hold until there is more certainty.

[smohiudd]

veda-auth-central has been integrated into the stac and ingest endpoints in this stack: https://stacadmin.openveda.cloud/api/stac/docs